Skip to content

Commit ace1e23

Browse files
RasmusWLRasmusWL
committed
Python: Move experimental ClientSuppliedIpUsedInSecurityCheck to new dataflow API
1 parent d948e10 commit ace1e23

1 file changed

Lines changed: 13 additions & 11 deletions

File tree

python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql

Lines changed: 13 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -16,29 +16,27 @@ import semmle.python.dataflow.new.DataFlow
1616
import semmle.python.dataflow.new.TaintTracking
1717
import semmle.python.ApiGraphs
1818
import ClientSuppliedIpUsedInSecurityCheckLib
19-
import DataFlow::PathGraph
19+
import ClientSuppliedIpUsedInSecurityCheckFlow::PathGraph
2020

2121
/**
2222
* A taint-tracking configuration tracing flow from obtaining a client ip from an HTTP header to a sensitive use.
2323
*/
24-
class ClientSuppliedIpUsedInSecurityCheckConfig extends TaintTracking::Configuration {
25-
ClientSuppliedIpUsedInSecurityCheckConfig() { this = "ClientSuppliedIpUsedInSecurityCheckConfig" }
26-
27-
override predicate isSource(DataFlow::Node source) {
24+
private module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::ConfigSig {
25+
predicate isSource(DataFlow::Node source) {
2826
source instanceof ClientSuppliedIpUsedInSecurityCheck
2927
}
3028

31-
override predicate isSink(DataFlow::Node sink) { sink instanceof PossibleSecurityCheck }
29+
predicate isSink(DataFlow::Node sink) { sink instanceof PossibleSecurityCheck }
3230

33-
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
31+
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
3432
exists(DataFlow::CallCfgNode ccn |
3533
ccn = API::moduleImport("netaddr").getMember("IPAddress").getACall() and
3634
ccn.getArg(0) = pred and
3735
ccn = succ
3836
)
3937
}
4038

41-
override predicate isSanitizer(DataFlow::Node node) {
39+
predicate isBarrier(DataFlow::Node node) {
4240
// `client_supplied_ip.split(",")[n]` for `n` > 0
4341
exists(Subscript ss |
4442
not ss.getIndex().(IntegerLiteral).getText() = "0" and
@@ -49,9 +47,13 @@ class ClientSuppliedIpUsedInSecurityCheckConfig extends TaintTracking::Configura
4947
}
5048
}
5149

50+
51+
/** Global taint-tracking for detecting "client ip used in security check" vulnerabilities. */
52+
module ClientSuppliedIpUsedInSecurityCheckFlow = TaintTracking::Global<ClientSuppliedIpUsedInSecurityCheckConfig>;
53+
5254
from
53-
ClientSuppliedIpUsedInSecurityCheckConfig config, DataFlow::PathNode source,
54-
DataFlow::PathNode sink
55-
where config.hasFlowPath(source, sink)
55+
ClientSuppliedIpUsedInSecurityCheckFlow::PathNode source,
56+
ClientSuppliedIpUsedInSecurityCheckFlow::PathNode sink
57+
where ClientSuppliedIpUsedInSecurityCheckFlow::flowPath(source, sink)
5658
select sink.getNode(), source, sink, "IP address spoofing might include code from $@.",
5759
source.getNode(), "this user input"

0 commit comments

Comments
 (0)